Botnet fast-flux cloaking and leasing on the rise

Security vendor RSA has reported an increase in the use of "fast-flux" to obscure zombie computer activities. However, University of Cambridge researchers disagree, saying it's the same botnet being leased out to others.

Fast-flux is a DNS technique that distributes command-and-control by constantly changing which servers a botnet's domain names resolve to, so the controlling servers of peer-to-peer botnets appear to "move" around the network and become difficult to identify and shut down. Fast-flux can also be combined with a rotating set of proxy servers that hide static command-and-control servers behind them.

RSA said on Monday that the technique, widely reported as being used by the controllers of the Storm botnet, is now being used by at least three other compromised networks.

"We've definitely seen an increase in the trend of using fast-flux as an attack vector," RSA director of financial services Andrew Moloney said on Monday.

RSA refused to name the botnets or the gangs involved, and said naming them would compromise its surveillance. Senior RSA researcher Uriel Maimon told ZDNet.com.au's sister site ZDNet.co.uk that RSA had recently seen a gang using a combination of fast-flux DNS distributed command-and-control and routing all botnet traffic through proxy servers to further obfuscate the compromised networks.

However, researchers from the University of Cambridge have challenged RSA's claims, saying instead that the number of botnets using fast-flux has not increased in the past year but has remained constant.

"It has been fairly consistent for the past 12 months," said Tyler Moore, a researcher at the University of Cambridge Computer Laboratory. "We've mainly been tracking fast-flux websites used for phishing attacks but fast-flux networks are a for-hire service -- people pay to host whatever they want."

The researchers had not named the botnets, instead calling them "Fast-flux 1" and so on, and had detected three "pools" using fast-flux techniques.

Moore said that he had focused his research on two groups of sites: phishing sites, which attempt to dupe users into divulging sensitive information, and fast-flux sites claiming to sell pharmaceutical products.

Fast-flux sites are also used to recruit and interact with "money mules", who launder the proceeds of phishing crime for phishers.

The University of Cambridge researchers track which domains the links in spam emails resolve to. Links pointing into fast-flux networks resolve to many different IP addresses.
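The tracking approach described above, reduced to a runnable illustration: pull hostnames out of a spam message, then look at how the DNS answers for each hostname behave across repeated lookups. This is an added example written for this page, not code from the Cambridge researchers or RSA. The message body, the DNS observations and the thresholds (distinct IPs, distinct /16 networks as a crude stand-in for network diversity, and TTL) are all constructed assumptions; a real tracker would query live DNS and use ASN data rather than /16 prefixes.

```python
import re
from collections import defaultdict
from ipaddress import ip_network
from urllib.parse import urlsplit

# Constructed spam body (assumption, not from the article): two links, one of
# which points into a hostname we will pretend is fast-fluxed.
SPAM_BODY = (
    "Verify now: http://shop-example.test/login "
    "and unsubscribe at http://static-example.test/unsub"
)

# Constructed DNS observation log: (hostname, seconds since first lookup, TTL,
# A records returned). IPv4 only; addresses are from documentation ranges.
# "shop-example.test" returns a new set of addresses spread across unrelated
# networks on every lookup (fast-flux-like); "static-example.test" is stable;
# "cdn-example.test" rotates a few addresses inside one provider block.
OBSERVATIONS = [
    ("shop-example.test", 0, 300, ["203.0.113.10", "198.51.100.7", "192.0.2.44"]),
    ("shop-example.test", 600, 300, ["203.0.113.88", "198.51.100.120", "192.0.2.9"]),
    ("shop-example.test", 1200, 300, ["203.0.113.200", "198.51.100.3", "192.0.2.77"]),
    ("static-example.test", 0, 86400, ["192.0.2.1"]),
    ("static-example.test", 600, 86400, ["192.0.2.1"]),
    ("static-example.test", 1200, 86400, ["192.0.2.1"]),
    ("cdn-example.test", 0, 60, ["203.0.113.5", "203.0.113.6"]),
    ("cdn-example.test", 600, 60, ["203.0.113.7", "203.0.113.5"]),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def hostnames_from_message(body):
    """Return the set of lower-cased hostnames linked from a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def summarize(observations):
    """Aggregate per-hostname DNS behaviour across all recorded lookups."""
    by_host = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for host, _elapsed, ttl, answers in observations:
        rec = by_host[host]
        rec["ttls"].append(ttl)
        for addr in answers:
            rec["ips"].add(addr)
            # /16 prefix as a rough proxy for "different network" (assumption;
            # ASN lookups would be the realistic choice).
            rec["nets"].add(str(ip_network(f"{addr}/16", strict=False)))
    return by_host


def classify(observations, min_ips=5, min_nets=3, max_ttl=600):
    """Flag hostnames whose answers churn across many IPs and networks with
    short TTLs. Thresholds are constructed for this example."""
    results = {}
    for host, rec in summarize(observations).items():
        n_ips, n_nets, min_ttl = len(rec["ips"]), len(rec["nets"]), min(rec["ttls"])
        results[host] = {
            "distinct_ips": n_ips,
            "distinct_nets": n_nets,
            "min_ttl": min_ttl,
            "fast_flux": n_ips >= min_ips and n_nets >= min_nets and min_ttl <= max_ttl,
        }
    return results


def flux_hosts_in_message(body, observations):
    """Hostnames linked from the message that the observations mark as fast-flux."""
    verdicts = classify(observations)
    return {h for h in hostnames_from_message(body) if verdicts.get(h, {}).get("fast_flux")}


if __name__ == "__main__":
    for host, verdict in classify(OBSERVATIONS).items():
        print(host, verdict)
    print("flux hosts linked from spam:", flux_hosts_in_message(SPAM_BODY, OBSERVATIONS))
```

The CDN case is included deliberately: a legitimate round-robin also changes addresses between lookups, so counting distinct IPs alone would over-flag; requiring the addresses to be spread across unrelated networks is what separates the two in this toy scoring.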

Moore said that use of proxies to hide command-and-control servers, a technique most widely used by the Rock Phish gang, had also remained consistent for the past year.

"We don't track them beyond the proxies," said Moore. "We leave it to SOCA and the FBI to go after Rock Phish."